Implementing Business Continuity With The Bs25999 Standard By Dennis


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The PDCA cycle is the means of ensuring that business continuity is effectively managed and improved.PDCA cycle applies to all parts of the BCM cycle.
  • Initial creation of the plan is treated like a project, using traditional project management techniques. However, business needs change, new processes may be added. If they are “critical,” they must become part of the BCP. Part of the project to create the BCP must build in business processes for plan maintenance.
  • Phases are covered in detail in next slides
  • If you don’t establish need, how can you get management support? A BCP costs a lot to develop and maintain. No ROI either. Functional leads are necessary because the IT staff don’t understand the business. The BCC is the project manager for the BCP creation, the most important person. The work plan will be like the phases of a traditionally managed project
  • A lot of the BCP creation is driven by the MTDs assigned to various business functions, so the BIA is very important.
  • On the second bullet, for instance, the question is not “how likely is it we’ll suffer a total loss of our data center from a fire?” The question is “what would be the loss to the business if we suffered the total loss of our data center?” Some losses may be quantified fairly exactly. Others have to be estimated as carefully as possible. An example of the latter would the cost to the business in loss of consumer confidence from an extended outage. For instance, what if Purdue were unable to hold classes for four weeks because we couldn’t deliver our electronic instruction? How would parents of potential Purdue students react to that? And how much would it cost?
  • There are nine phases to the BIA. Selection of interviewees is very important. These will be the subject matter experts from the business units, and they have to be the people who know the business. Customize questionnaire: there is no standard set of questions – it varies with each business Time-criticality – some processes are more critical than others. Printing a payroll is important, but not time-critical usually. if you’re, keeping your web site up is critical. The business won’t go under if you print paychecks a couple of days late, but they would lose millions in potential revenue if their web site were down for a day. The BIA aims to rank-order business processes in these terms.
  • MTD – maximum tolerable downtime MAO – maximum allowable downtime Recovery options will range in price and effort – must match them appropriately with the criticality of business functions
  • Predefined means we don’t have to make it up as we go along. We have a documented, tested plan in place. Management approved means you will get the resources to implement the BCP.
  • Driven by business requirements means going back to the BIA, which identified critical business processes and ranked them in terms of the MTD/MAO.
  • Business operations were enumerated in the BIA – what IT and other requirements are necessary to support them? Facilities and supplies – where do I sit at the DR site? Where is my conference room? Do I get a whiteboard? And by the way, I need a pencil. Users – can manual processes be used as part of DR? If so, how does the manual processing get integrated back into the electronic processing later? Do we need housing, transportation? Recovery of data centers and networks is an obvious necessity requiring careful planning. There are technical solutions available, though. (Bring money.) You mean we’ve got all these computers in the DR site and no data? Who forgot the DATA?? I’m only going to go into detail on the last two bullets. The first three are also quite detailed planning processes.
  • Full backups are what you think they are – everything. Incremental backups are files changed since *previous* backup, which might be a full backup or an incremental. Potentially a long recovery period. Differential backups are all files changed since previous full backup – quicker recovery. Continuous backups – like a journal file system, or like Oracle’s Dataguard hot spare environment. Geographically separated systems are kept up to date in real time.
  • Step one above is what you might think of as the BCP, but the next 3 bullets are equally important.
  • Plan phases – i.e., what would happen if a disaster occurred. The last phase, interacting with external entities, may actually begin immediately, probably with the decision that a disaster has occurred and the business is going to implement the BCP. An initial communication may be out to stakeholders at that point.
  • Structured walk-through – step-by-step review of the BCP by functional reps who meet together – no one is actually walking anywhere Checklist – similar to SWT but checklists are distributed to business units, who review the checklists individually Simulation – kind of like “war games” – simulation stops at point where equipment would be relocated Parallel – DR site is put into full operation without taking down the primary – results compared between the two Full interruption – Full-scale test of BCP by a planned fail-over to the secondary site and fail-back to the primary. Risky. Note: more than one kind of test may be useful. For instance, a simulation and a parallel test complement each other.
  • Implementing Business Continuity With The Bs25999 Standard By Dennis

    1. 1. Implementing business continuity with BS25999 standard Presenter Dennis Kaburu
    2. 2. What is BS 25999? <ul><li>BS 25999 is a two-part British Standard that illustrates what organisations should do to establish demonstrably robust business continuity processes, and how they can evaluate their own processes or those of others who they depend on. </li></ul><ul><li>Part 1: Code of Practice (BS 25999-1:2006) was published in November 2006. It is in the form of guidance and recommendations that illustrate how to develop and maintain a robust BCM system based on good practice. </li></ul><ul><li>Part 2: Specification (BS 25999-2:2007) was published in November 2007. It defines requirements for a management systems approach to BCM, against which organisations can be measured formally or informally. </li></ul>
    3. 3. BS25999-1 :code of Practice <ul><li>Provides guidance on the implementation of the standard </li></ul><ul><li>It establishes the process, principles and terminology of BCM. </li></ul><ul><li>It provides a basis for understanding, developing and implementing business continuity within an organisation and in that organisation’s dealings with suppliers, customers and other organisations. </li></ul><ul><li>It applies to organisations of all sizes and sectors and is intended to be used by anyone who has responsibilities for business operations or the provision of services. </li></ul>
    4. 4. What does BS25999-1 do? <ul><li>BS25999-1 establishes the process, principles and terminology of BCM. </li></ul><ul><li>It provides a basis for understanding, developing and implementing business continuity within an organisation and in that organisation’s dealings with suppliers, customers and other organisations. </li></ul><ul><li>It enables the organisation to measure its own and others BCM capabilities in a consistent and recognised manner. </li></ul><ul><li>It applies to organisations of all sizes and sectors and is intended to be used by anyone who has responsibilities for business operations or the provision of services. </li></ul>
    5. 5. What are the outcomes of BS25999-1? <ul><li>It establishes that the outcomes of an effective BCM programme will be: </li></ul><ul><li>key products and services are identified and protected, ensuring their continuity </li></ul><ul><li>an incident management capability is enabled to provide an effective response </li></ul><ul><li>the organisation’s understanding of itself and its relationships with other organisations, relevant regulators or government departments, local authorities and the emergency services is properly developed, documented and understood </li></ul><ul><li>staff are trained to respond effectively to an incident or disruption through appropriate exercising </li></ul><ul><li>stakeholder requirements and staff receive adequate support and communications in the event of a disruption </li></ul><ul><li>an organisation’s supply chain is secured </li></ul><ul><li>the organisation’s reputation is protected and </li></ul><ul><li>the organisation remains compliant with its legal and regulatory obligations </li></ul>
    6. 6. BS25999-2 :Specification <ul><li>BS 25999-2 specifies requirements for “planning, establishing, implementing, operating, monitoring, reviewing and improving a documented Business Continuity </li></ul><ul><li>Establishes Management System (BCMS) within the context of managing an organisation’s overall business risks”. It contains requirements that can be audited against, thus establishing an ability to evaluate the robustness of the BCMS in a consistent manner. </li></ul>
    7. 7. How BS25999-2 does this? <ul><li>In particular it emphasises the importance of: </li></ul><ul><li>a) understanding business continuity needs and the necessity for establishing policy and objectives for business continuity </li></ul><ul><li>b) implementing and operating controls and measures for managing an organisation’s overall business continuity risks </li></ul><ul><li>c) monitoring and reviewing the performance and effectiveness of the BCMS and </li></ul><ul><li>d) continual improvement based on objective measurement. </li></ul>
    8. 8. The BCM lifecycle as contained in BS 25999 is illustrated below
    9. 9. 1. BCM Culture <ul><li>Culture- Values and behaviors demonstrated by the business-transmitted and replicated throughtout the organisation </li></ul><ul><li>Development of a BCM culture is supported by: </li></ul><ul><ul><li>leadership from senior personnel in the organization; </li></ul></ul><ul><ul><li>assignment of responsibilities ; </li></ul></ul><ul><ul><li>awareness raising; </li></ul></ul><ul><ul><li>skills training; and </li></ul></ul><ul><ul><li>exercising plans. </li></ul></ul>
    10. 10. BCM Culture <ul><li>An organization with a positive BCM culture will: </li></ul><ul><li>D evelop a BCM programme more efficiently; </li></ul><ul><li>I nstil confidence in its stakeholders (especially staff and customers) in its ability to handle business disruptions; </li></ul><ul><li>I ncrease its resilience over time by ensuring BCM implications are considered in decisions at all levels; </li></ul><ul><li>M inimize the likelihood and impact of disruptions.. </li></ul>
    11. 11. Embedding BCM in the organization's culture <ul><li>To be successful, business continuity has to become part of the way that an organization is managed, regardless of size or sector </li></ul>
    12. 12. BCM Documentation <ul><li>Scope and objectives of the BCM and procedures </li></ul><ul><li>BCM policy </li></ul><ul><li>Provision of resource </li></ul><ul><li>Competnency of BCM personnel and associated training records </li></ul><ul><li>Business Impact Analysis </li></ul><ul><li>Risk Assessment </li></ul><ul><li>Business Continuity strategy </li></ul><ul><li>Incident response structure </li></ul><ul><li>Business continuity plans and incident management plans </li></ul><ul><li>BCM Exercising </li></ul>
    13. 13. BCM Documentation (contd) <ul><li>Maintainance and review of BCM arrangements </li></ul><ul><li>Preventive and corrective actions </li></ul><ul><li>Continual improvement </li></ul><ul><li>BCM Policy </li></ul><ul><li>States the organisation’s BCM objectives </li></ul><ul><li>Provides documented principles,guidelines and minimum standards for BCM </li></ul><ul><li>Defines the scope of BCM </li></ul>
    14. 14. Determining BC Strategy <ul><li>People </li></ul><ul><li>Locations </li></ul><ul><li>Technology </li></ul><ul><li>Information </li></ul><ul><li>Supplies </li></ul><ul><li>Stakeholders </li></ul><ul><li>Civil emergencies </li></ul>
    15. 15. Determining BC Strategy <ul><li>People </li></ul><ul><li>Documentation of the way in which critical activities are performed </li></ul><ul><li>Multi-skill training of staff and contractors </li></ul><ul><li>separation of core skills to reduce the concentration of risk </li></ul><ul><li>use of third parties </li></ul><ul><li>succession planning </li></ul><ul><li>knowledge retention and management </li></ul>
    16. 16. Determining BC Strategy <ul><li>Locations </li></ul><ul><li>alternative premises (locations) within the organization </li></ul><ul><li>alternative premises provided by other </li></ul><ul><li>alternative premises provided by third-party specialists </li></ul><ul><li>working from home or at remote sites </li></ul><ul><li>other agreed suitable premises </li></ul><ul><li>use of an alternative workforce in an established site </li></ul>
    17. 17. Determining BC Strategy <ul><li>Technology </li></ul><ul><li>Technology strategies will depend on the nature of the </li></ul><ul><li>technology employed and its relationship to </li></ul><ul><li>critical activities, but will typically be one or a </li></ul><ul><li>combination of the following: </li></ul><ul><li>provision made within the organization; </li></ul><ul><li>services delivered to the organization; and </li></ul><ul><li>services provided externally by a third party </li></ul>
    18. 18. Determining BC Strategy <ul><li>Technology strategies may include: </li></ul><ul><li>geographical spread of technology, i.e. </li></ul><ul><li>maintaining the same technology at different </li></ul><ul><li>locations that will not be affected by the same </li></ul><ul><li>business disruption; </li></ul><ul><li>holding older equipment as emergency replacement or spares; and </li></ul><ul><li>additional risk mitigation for unique or long </li></ul><ul><li>lead time equipment. </li></ul>
    19. 19. Determining BC Strategy <ul><li>Information technology (IT) services frequently need complex </li></ul><ul><li>continuity strategies. &quot;Where such strategies are </li></ul><ul><li>required, consideration should be given to: </li></ul><ul><li>recovery time objectives (RTOs) for systems </li></ul><ul><li>and applications which support the key activities </li></ul><ul><li>identified in the BIA; </li></ul><ul><li>location and distance between technology sites; </li></ul><ul><li>number of technology sites; </li></ul><ul><li>remote access; </li></ul><ul><li>the use of un-staffed (dark) sites as opposed to staffed sites; </li></ul><ul><li>telecoms connectivity and redundant routing; </li></ul><ul><li>the nature of &quot;failover” </li></ul><ul><li>third-party connectivity and external links. </li></ul>
    20. 20. Determining BC Strategy <ul><li>Information </li></ul><ul><li>Any information required for enabling the delivery of the organization's critical activities should have appropriate: </li></ul><ul><li>Confidentiality ; integrity; availability; currency. </li></ul><ul><li>Information strategies should be documented </li></ul><ul><li>for the recovery of information ; </li></ul><ul><li>Information strategies should extend to include: </li></ul><ul><li>physical (hardcopy) formats; and </li></ul><ul><li>virtual (electronic) formats, etc. </li></ul>
    21. 21. Determining BC Strategy <ul><li>Supplies </li></ul><ul><li>The organization should identify and maintain an </li></ul><ul><li>inventory of the core supplies ; </li></ul><ul><li>storage of supplies at another location; </li></ul><ul><li>arrangements with third parties for delivery of s </li></ul><ul><li>tock at short notice; </li></ul><ul><li>diversion of just-in-time deliveries </li></ul><ul><li>holding of materials at warehouses or shipping sites; </li></ul><ul><li>transfer of sub-assembly operations to an </li></ul><ul><li>alternative location which has supplies; </li></ul><ul><li>identification of alternative/substitute supplies </li></ul>
    22. 22. Determining BC Strategy <ul><li>Where critical activities are dependent upon specialist supplies, </li></ul><ul><li>the organization should identify the key suppliers </li></ul><ul><li>and single sources of supply. Strategies to manage </li></ul><ul><li>continuity of supply may include: </li></ul><ul><li>increasing the number of suppliers; </li></ul><ul><li>encouraging or requiring suppliers to have a </li></ul><ul><li>validated business continuity capability; </li></ul><ul><li>contractual and /or service level agreements </li></ul><ul><li>with key suppliers; or </li></ul><ul><li>the identification of alternative, capable suppliers. </li></ul>
    23. 23. Determining BC Strategy <ul><li>Stakeholders </li></ul><ul><li>When determining appropriate BCM strategies . </li></ul><ul><li>These strategies should take into account relevant s </li></ul><ul><li>social and cultural considerations. </li></ul><ul><li>The organization should identify appropriate strategies to manage </li></ul><ul><li>relationships with key stakeholders, business or </li></ul><ul><li>service partners and contractors. </li></ul><ul><li>The organization should identify a person or </li></ul><ul><li>persons who will discharge responsibility for </li></ul><ul><li>welfare issues following an incident . </li></ul>
    24. 24. Determining BC Strategy <ul><li>Civil emergencies </li></ul><ul><li>Organizations seeking to determine, implement or </li></ul><ul><li>validate strategies for incident management and </li></ul><ul><li>business continuity management should become </li></ul><ul><li>familiar with official local responder bodies at an </li></ul><ul><li>early stage . </li></ul><ul><li>Key responders will be instrumental in officially </li></ul><ul><li>declaring that a civil emergency has occurred and </li></ul><ul><li>in providing: </li></ul><ul><li>pre- or post-incident advice (e.g. risk assessments); </li></ul><ul><li>warning and informing procedures; and </li></ul><ul><li>community recovery arrangements following a civil emergency. </li></ul>
    25. 25. Developing and implementing a BCM response <ul><li>1. Introduction </li></ul><ul><li>2. Incident response structure </li></ul><ul><li>3. Content of plans </li></ul><ul><li>4. The incident management plan (IMP) </li></ul><ul><li>5. The business continuity plan(s) [BCP(s)] </li></ul><ul><li>7. Contents of the BCP </li></ul>
    26. 26. <ul><li>1. Introduction; </li></ul><ul><li>Organization should; </li></ul><ul><li>I dentify its critical activities , </li></ul><ul><li>E valuate threats to these critical activities , </li></ul><ul><li>C hoose appropriate strategies to reduce the likelihood and impacts of incidents , </li></ul><ul><li>C hoose appropriate strategies that provide for the continuity or recovery of its critical activities . </li></ul>
    27. 27. <ul><li>2. Incident R esponse S tructure ; </li></ul><ul><li>The organization should define an incident response structure </li></ul><ul><li>In any incident situation there should be a simple and quickly-formed structure that will enable the organization to: </li></ul><ul><li>confirm the nature and extent of the incident, </li></ul><ul><li>take control of the situation, </li></ul><ul><li>contain the incident, and </li></ul><ul><li>communicate with stakeholders. </li></ul><ul><li>This structure may be referred to as the incident management team (IMT) or crisis management team (CMT). </li></ul>
    28. 28. <ul><li>The team should have plans, processes and procedures to manage the incident and these should be supported by business continuity tools to enable continuity and recovery of critical activities. </li></ul><ul><li>The team should have plans for the activation, operation, coordination and communication of the incident response. </li></ul><ul><li>There are three main phases over time of an incident, and the relationship between incident management and business continuity . </li></ul>
    29. 29. Incident Timeline
    30. 30. <ul><li>Organizations may develop specific plans to recover or resume operations back to a &quot;normal&quot; state (recovery plans). However, in some incidents it might not be possible to define what &quot;normal&quot; looks like until some time after the incident, so that it might not be possible to implement recovery plans immediately. </li></ul>
    31. 31. 4. The I ncident M anagement P lan ( IMP) <ul><li>The IMP should: </li></ul><ul><li>be flexible, feasible, and relevant; </li></ul><ul><li>be easy to read and understand; and </li></ul><ul><li>provide the basis for managing all possible issues, including the stakeholder and external issues, facing the organization during an incident. </li></ul><ul><li>h ave top management support, including a board sponsor where applicable; and </li></ul><ul><li>b e supported by an appropriate budget for development, maintenance and training. </li></ul>
    32. 32. 6. The B usiness C ontinuity P lan(s) [BCP(s)] <ul><li>PURPOSE: </li></ul><ul><li>B usiness continuity plan (BCP) is to enable an organization to recover or maintain its activities in the event of a disruption to normal business operations. </li></ul><ul><li>BCPs are activated (invoked) to support the critical activities required to deliver the organization's objectives. </li></ul>
    33. 33. 7. Contents of the BCP <ul><li>Action plans/ task lists </li></ul><ul><li>The action plan should include a structured checklist of actions and tasks in an order of priority, highlighting: </li></ul><ul><li>how the BCP is invoked; </li></ul><ul><li>the person(s) responsible for invoking the business continuity plan; </li></ul><ul><li>the procedure that person should adopt in taking that decision; </li></ul><ul><li>the person(s) who should be consulted before such a decision is taken; </li></ul>
    34. 34. 7. Contents of the BCP <ul><li>the person(s) who should be informed once a decision has been taken; </li></ul><ul><li>who goes where, and when; </li></ul><ul><li>what services are available where, and when; including how the organization mobilizes external and third-party resources; </li></ul><ul><li>how and when this information is communicated; and </li></ul><ul><li>if relevant, detailed procedures for manual workarounds, system recovery, etc. </li></ul>
    35. 35. 7. Contents of the BCP <ul><li>Resource requirements </li></ul><ul><li>The resources required for business continuity and business recovery should be identified at different points in time. </li></ul><ul><li>a) P eople, which may include: </li></ul><ul><ul><li>security, </li></ul></ul><ul><ul><li>transportation logistics, </li></ul></ul><ul><ul><li>welfare needs, and </li></ul></ul><ul><ul><li>emergency expenses; </li></ul></ul><ul><li>b) P remises; </li></ul><ul><li>c) T echnology, including communications; </li></ul>
    36. 36. 7. Contents of the BCP <ul><li>Resource requirements </li></ul><ul><li>d) I nformation, which may include: </li></ul><ul><ul><li>financial (e.g. payroll) details, </li></ul></ul><ul><ul><li>customer account records, </li></ul></ul><ul><ul><li>supplier and stakeholder details, </li></ul></ul><ul><ul><li>legal documents (e.g. contracts, insurance policies, title deeds, etc.), </li></ul></ul><ul><ul><li>other services documents (e.g. service level agreements); </li></ul></ul><ul><li>e) S upplies; </li></ul><ul><li>f) M anagement of, and communication with, stakeholders. </li></ul>
    37. 37. 7. Contents of the BCP <ul><li>Responsible person(s) ; </li></ul><ul><li>The organization should identify a nominated person(s) to manage the business continuity and business recovery phases of a disruption. </li></ul><ul><li>Forms; </li></ul><ul><li>The business continuity plan should include an incident log or forms for the recording of vital information, especially in respect of decisions made. </li></ul>
    38. 38. Creating a BCP <ul><li>Is an on-going process, not a project with a beginning and an end </li></ul><ul><ul><li>Creating, testing, maintaining, and updating </li></ul></ul><ul><ul><li>“ Critical” business functions may evolve </li></ul></ul><ul><li>The BCP team must include both business and IT personnel </li></ul><ul><li>Requires the support of senior management </li></ul>
    39. 39. The five BCP phases <ul><li>Project management & initiation </li></ul><ul><li>Business Impact Analysis (BIA) </li></ul><ul><li>Recovery strategies </li></ul><ul><li>Plan design & development </li></ul><ul><li>Testing, maintenance, awareness, training </li></ul>
    40. 40. I - Project management & initiation <ul><li>Establish need (risk analysis) </li></ul><ul><li>Get management support </li></ul><ul><li>Establish team (functional, technical, BCC – Business Continuity Coordinator) </li></ul><ul><li>Create work plan (scope, goals, methods, timeline) </li></ul><ul><li>Initial report to management </li></ul><ul><li>Obtain management approval to proceed </li></ul>
    41. 41. II - Business Impact Analysis (BIA) <ul><li>Goal: obtain formal agreement with senior management on the MTD for each time-critical business resource </li></ul><ul><li>MTD – maximum tolerable downtime, also known as MAO (Maximum Allowable Outage) </li></ul>
    42. 42. II - Business Impact Analysis (BIA) <ul><li>Quantifies loss due to business outage (financial, extra cost of recovery, embarassment) </li></ul><ul><li>Does not estimate the probability of kinds of incidents, only quantifies the consequences </li></ul>
    43. 43. II - BIA phases <ul><li>Choose information gathering methods (surveys, interviews, software tools) </li></ul><ul><li>Select interviewees </li></ul><ul><li>Customize questionnaire </li></ul><ul><li>Analyze information </li></ul><ul><li>Identify time-critical business functions </li></ul>
    44. 44. II - BIA phases (continued) <ul><li>Assign MTDs </li></ul><ul><li>Rank critical business functions by MTDs </li></ul><ul><li>Report recovery options </li></ul><ul><li>Obtain management approval </li></ul>
    45. 45. III – Recovery strategies <ul><li>Recovery strategies are based on MTDs </li></ul><ul><li>Predefined </li></ul><ul><li>Management-approved </li></ul>
    46. 46. III – Recovery strategies <ul><li>Different technical strategies </li></ul><ul><li>Different costs and benefits </li></ul><ul><li>How to choose? </li></ul><ul><li>Careful cost-benefit analysis </li></ul><ul><li>Driven by business requirements </li></ul>
    47. 47. III – Recovery strategies <ul><li>Strategies should address recovery of : </li></ul><ul><ul><li>Business operations </li></ul></ul><ul><ul><li>Facilities & supplies </li></ul></ul><ul><ul><li>Users (workers and end-users) </li></ul></ul><ul><ul><li>Network, data center (technical) </li></ul></ul><ul><ul><li>Data (off-site backups of data and applications) </li></ul></ul>
    48. 48. III – Recovery strategies <ul><li>Technical recovery strategies –data </li></ul><ul><ul><li>Backups of data and applications </li></ul></ul><ul><ul><li>Off-site vs. on-site storage of media </li></ul></ul><ul><ul><li>How fast can data be recovered? </li></ul></ul><ul><ul><li>How much data can you lose? </li></ul></ul><ul><ul><li>Security of off-site backup media </li></ul></ul><ul><ul><li>Types of backups (full, incremental, differential, etc.) </li></ul></ul>
    49. 49. IV – BCP development / implementation <ul><li>Detailed plan for recovery </li></ul><ul><ul><li>Business & service recovery plans </li></ul></ul><ul><ul><li>Maintenance </li></ul></ul><ul><ul><li>Awareness & training </li></ul></ul><ul><ul><li>Testing </li></ul></ul>
    50. 50. IV – BCP development / implementation <ul><li>Sample plan phases </li></ul><ul><ul><li>Initial disaster response </li></ul></ul><ul><ul><li>Resume critical business operations </li></ul></ul><ul><ul><li>Resume non-critical business ops </li></ul></ul><ul><ul><li>Restoration (return to primary site) </li></ul></ul><ul><ul><li>Interacting with external groups (customers, media, emergency responders) </li></ul></ul>
    51. 51. V – BCP final phase <ul><li>Testing </li></ul><ul><li>Maintenance </li></ul><ul><li>Awareness </li></ul><ul><li>Training </li></ul>
    52. 52. V – BCP final phase - testing <ul><li>Until it’s tested, you don’t have a plan </li></ul><ul><li>Kinds of testing </li></ul><ul><ul><li>Structured walk-through </li></ul></ul><ul><ul><li>Checklist </li></ul></ul><ul><ul><li>Simulation </li></ul></ul><ul><ul><li>Parallel </li></ul></ul><ul><ul><li>Full interruption </li></ul></ul>
    53. 53. V – BCP final phase - maintenance <ul><li>Fix problems found in testing </li></ul><ul><li>Implement change management </li></ul><ul><li>Audit and address audit findings </li></ul><ul><li>Annual review of plan </li></ul><ul><li>Build plan into organization </li></ul>
    54. 54. V – BCP final phase <ul><li>Self-assessment </li></ul><ul><li>A BCM self-assessment process plays a role in ensuring that an organization has a </li></ul><ul><ul><li>robust, </li></ul></ul><ul><ul><li>effective </li></ul></ul><ul><ul><li>fit-for-purpose BCM competence and capability </li></ul></ul><ul><li>Self-assessment should be conducted against the organization's objectives. It should also take into account relevant industry standards and good practice. </li></ul>
    55. 55. V – BCP final phase <ul><li>Audit </li></ul><ul><li>The organization should provide for the independent audit of its BCM competence and capability to identify actual and potential shortcomings. </li></ul><ul><li>It should establish, implement and maintain procedures for dealing with these. </li></ul><ul><li>Independent audits should be conducted by competent persons, whether internal or external. </li></ul>
    56. 56. BCM Awareness <ul><li>The organization should raise, enhance and maintain awareness by maintaining an ongoing BCM education and information program for all staff. </li></ul><ul><li>Such a progra m may include: </li></ul><ul><li>A consultation process with staff throughout the organization concerning the implementation of the BCM program; </li></ul><ul><li>D iscussion of BCM in the organization's newsletters, briefings, induction program or journals; </li></ul>
    57. 57. BCM Awareness <ul><li>I nclusion of BCM on relevant web pages or intranets; </li></ul><ul><li>L earning from internal and external incidents; </li></ul><ul><li>BCM as an item at team meetings; </li></ul><ul><li>E xercising continuity plans at an alternative location (e.g. a recovery site); and </li></ul><ul><li>V isits to any designated alternative location (e.g. a recovery site). </li></ul>